From 93d4366b71a239694a0905a6690ca2f08eb5a9e8 Mon Sep 17 00:00:00 2001
From: Derek Roberts
Date: Fri, 9 Feb 2024 09:43:58 -0800
Subject: [PATCH] feat(ci): analysis workflow (#596)

* .github/workflows/unit-tests.yml -> .github/workflows/analysis.yml
* Analysis + CodeQL, cronjob, interrupts
---
 .../{unit-tests.yml => analysis.yml} | 26 +++++++++++++++----
 .github/workflows/merge-main.yml | 24 -----------------
 2 files changed, 21 insertions(+), 29 deletions(-)
 rename .github/workflows/{unit-tests.yml => analysis.yml} (67%)

diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/analysis.yml
similarity index 67%
rename from .github/workflows/unit-tests.yml
rename to .github/workflows/analysis.yml
index c41393f2d..73f00d67d 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/analysis.yml
@@ -1,10 +1,12 @@
-name: Unit Tests and Analysis
+name: Analysis
 on:
   pull_request:
-    types: [opened, reopened, synchronize, ready_for_review]
+    types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
   push:
     branches: [main]
+  schedule:
+    - cron: "30 8 1 * *" # 8:30 UDT = 12:30 PDT, runs monthly
   workflow_dispatch:
 concurrency:
@@ -14,7 +16,7 @@ concurrency:
 jobs:
   tests:
     name: Unit Tests
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    if: ${{ ! github.event.pull_request.draft }}
     runs-on: ubuntu-22.04
     steps:
       - uses: bcgov-nr/action-test-and-analyse@v1.1.0
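Review bot: The inline comment on the new `schedule` entry, `# 8:30 UDT = 12:30 PDT, runs monthly`, misstates the time: "UDT" is presumably UTC, and GitHub evaluates cron in UTC, so `30 8 1 * *` fires at 08:30 UTC, which is 01:30 PDT (00:30 PST), not 12:30 PDT. Suggested replacement: `- cron: "30 8 1 * *" # 08:30 UTC on the 1st of each month (01:30 PDT / 00:30 PST)`. If a midday Pacific run was actually intended, the expression itself needs changing rather than the comment. The new `converted_to_draft` trigger appears to exist only so that a run starts whose jobs all skip on the `! draft` condition and thereby cancels the previous in-progress run through the concurrency group, which lies outside this hunk; a one-line comment on the `types:` line, such as `# converted_to_draft starts a run that skips every job, cancelling the in-flight run via concurrency`, would spare the next reader that deduction.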
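Review bot: The rewritten condition `if: ${{ ! github.event.pull_request.draft }}` relies on `github.event.pull_request` being absent for `push`, `schedule` and `workflow_dispatch` events, so the property resolves to null and `!null` is true; that works, but the old expression stated the non-PR case explicitly and the new one leaves it implicit. A comment above the line, `# pull_request is absent on push/schedule/dispatch, so this is true for those events`, would preserve that intent. The same expression is introduced for the `codeql` and `trivy` jobs in the next hunk, so one comment at this first occurrence is enough.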
@@ -32,16 +34,30 @@ jobs:
             -Dsonar.projectKey=nr-fom
           sonar_token: ${{ secrets.SONAR_TOKEN }}
+  codeql:
+    name: CodeQL
+    if: ${{ ! github.event.pull_request.draft }}
+    needs: [tests]
+    runs-on: ubuntu-22.04
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: javascript
+      - uses: github/codeql-action/analyze@v3
   # https://github.com/marketplace/actions/aqua-security-trivy
   trivy:
     name: Trivy Security Scan
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    if: ${{ ! github.event.pull_request.draft }}
+    needs: [tests]
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.17.0
+        uses: aquasecurity/trivy-action@0.16.1
         with:
           format: "sarif"
           output: "trivy-results.sarif"
diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge-main.yml
index 0b02a232c..e7816d862 100644
--- a/.github/workflows/merge-main.yml
+++ b/.github/workflows/merge-main.yml
@@ -16,30 +16,6 @@ concurrency:
   cancel-in-progress: true
 jobs:
-  codeql:
-    name: CodeQL Analysis
-    runs-on: ubuntu-22.04
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Initialize
-        uses: github/codeql-action/init@v3
-        with:
-          languages: javascript
-      # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
-
   deploy-test:
     name: TEST Deploys
     environment: test
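Review bot: The new `codeql` job carries no `permissions:` block, whereas the job it replaces in merge-main.yml (deleted in the next hunk) granted `actions: read`, `contents: read` and `security-events: write`; `github/codeql-action/analyze@v3` uploads SARIF to code scanning and needs `security-events: write`, so unless a workflow-level `permissions:` (not visible here) or a permissive repository default for `GITHUB_TOKEN` supplies it, the analyze step will fail on upload, and declaring it per job also keeps the token least-privilege if that default is later tightened. The same applies to `trivy` if its upload step, which lies past the end of the hunk, uses `upload-sarif`. `timeout-minutes: 5` may be tight for CodeQL's database build plus analysis on a JavaScript codebase and should be confirmed against a real run, and `needs: [tests]` now means a unit-test failure suppresses both security scans, including on the scheduled monthly run, which may or may not be intended. Both third-party actions are pinned to mutable tags; pinning to a full commit SHA with the version in a trailing comment would harden the supply chain.

```yaml
    timeout-minutes: 5
    permissions:
      actions: read
      contents: read
      security-events: write
    # … unchanged: steps (checkout, codeql init, analyze) …
```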